DOD MANUAL 1341.02, VOLUME 1 DOD IDENTITY MANAGEMENT: DOD SELF-SERVICE (DS) LOGON PROGRAM AND CREDENTIAL Originating Component: Office of the Under Secretary of Defense for Personnel and Readiness Effective: March 25, 2019 Releasability: Approved by: Cleared for public release. This manual is available on the Directives Division Website at https://www.esd.whs.mil/dd/. James N. Stewart, Assistant Secretary of Defense for Manpower and Reserve Affairs, Performing the Duties of the Under Secretary of Defense for Personnel and Readiness Purpose: This manual is composed of several volumes, each containing its own purpose. In accordance with the authority in DoD Directive (DoDD) 5124.02 and DoD Instruction (DoDI) 1000.25: This manual implements policy, assigns responsibilities, and provides procedures for DoD personnel identification. This volume establishes implementation guidelines for DS Logon.
TABLE OF CONTENTS SECTION 1: GENERAL ISSUANCE INFORMATION... 3 1.1. Applicability.... 3 1.2. Policy.... 3 1.3. Information Collections.... 3 SECTION 2: RESPONSIBILITIES... 4 2.1. Under Secretary of Defense for Personnel and Readiness (USD(P&R)).... 4 2.2. Director, Department of Defense Human Resources Activity (DoDHRA).... 4 2.3. DoD Component Heads.... 4 2.4. Uniformed Services Heads.... 4 SECTION 3: PROCEDURES... 5 3.1. General.... 5 3.2. Overview.... 5 a. Eligibility... 5 b. Types of Credentials.... 6 3.3. Lifecycle.... 7 a. Application.... 7 b. Use.... 8 c. Maintenance.... 8 d. Decommissioning.... 8 e. Reactivation... 8 3.4. Associations.... 9 a. Family.... 9 b. Surrogacy.... 9 3.5. Permissions.... 10 a. Sponsor Access.... 10 b. Spousal Access... 10 c. Granted Access... 10 GLOSSARY... 12 G.1. Acronyms.... 12 G.2. Definitions.... 13 REFERENCES... 15 TABLE OF CONTENTS 2
SECTION 1: GENERAL ISSUANCE INFORMATION 1.1. APPLICABILITY. This volume applies to: a. OSD, the Military Departments (including the Coast Guard at all times, including when it is a Service in the Department of Homeland Security by agreement with that Department), the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the DoD (referred to collectively in this issuance as the DoD Components ). b. The Commissioned Corps of the U.S. Public Health Service (USPHS), under agreement with the Department of Health and Human Services, and the National Oceanic and Atmospheric Administration (NOAA), under agreement with the Department of Commerce. 1.2. POLICY. In accordance with DoDI 1000.25, DoDI 1341.02, Office of Management and Budget (OMB) M-04-04, DoDI 5400.11, and DoD 5400.11-R, it is DoD policy that DoD will provide a secure means of authentication to personally identifiable information (PII) and personal health information (PHI) for all beneficiaries and other individuals with a continuing affiliation with DoD. 1.3. INFORMATION COLLECTIONS. DD Form 3005, Application for Surrogate Association for DoD Self-Service (DS) Logon, referred to in Paragraph 3.4 has been assigned OMB control number 0704-0559 in accordance with the procedures in Volume 2 of DoD Manual (DoDM) 8910.01. The expiration date of this control number is listed at http://www.reginfo.gov/public/do/prasearch. SECTION 1: GENERAL ISSUANCE INFORMATION 3
SECTION 2: RESPONSIBILITIES 2.1. UNDER SECRETARY OF DEFENSE FOR PERSONNEL AND READINESS (USD(P&R)). The USD(P&R) oversees implementation of the procedures within this volume. 2.2. DIRECTOR, DEPARTMENT OF DEFENSE HUMAN RESOURCES ACTIVITY (DODHRA). Under the authority, direction, and control of the USD(P&R) and in addition to the responsibilities in Paragraph 2.3., the Director, DoDHRA, through the Director, Defense Manpower Data Center (DMDC): a. Approves the addition or elimination of population categories for DS Logon eligibility. b. Develops and fields the required Defense Enrollment Eligibility Reporting System (DEERS) and Real-time Automated Personnel Identification System infrastructure and all elements of field support required to support the management of the DS Logon credential including, but not limited to, issuance, storage, maintenance, and customer service. c. Obtains and distributes DS Logon credentials, and provides a secure means for delivery. 2.3. DOD COMPONENT HEADS. The DoD Component heads: a. Comply with this volume and distribute this guidance to applicable stakeholders. b. Provide manpower for issuance of DS Logon credentials and instruction for use to all eligible individuals who are requesting a DS Logon credential in conjunction with the issuance of a DoD identification (ID) card or who are applying for a DS Logon credential as a surrogate, when responsible for a DoD ID card site(s). 2.4. UNIFORMED SERVICES HEADS. The Secretaries of the Military Departments, in addition to the responsibilities in Section 3, and the heads of the non-dod uniformed services: a. Comply with this volume and distribute this guidance to applicable stakeholders. b. Provide manpower for issuance of DS Logon credentials and instruction for use to all eligible individuals who are requesting a DS Logon credential in conjunction with the issuance of a DoD ID card or who are applying for a DS Logon credential as a surrogate. c. Ensure all active duty, National Guard and Reserve, and Commissioned Corps members of their uniformed services obtain a DS Logon credential when separating from active duty or from the uniformed service. SECTION 2: RESPONSIBILITIES 4
SECTION 3: PROCEDURES 3.1. GENERAL. a. All active duty, National Guard and Reserve, and Commissioned Corps members of the uniformed services must obtain a DS Logon credential when separating from active duty or from the uniformed service. b. A DS Logon credential will be made available to all beneficiaries that are eligible for DoD-related benefits or entitlements to facilitate secure authentication to critical websites. This includes members of the uniformed services, veterans with a continuing affiliation to the DoD, spouses, dependent children aged 18 and over, and other eligible individuals identified in Paragraph 3.2. 3.2. OVERVIEW. Only one DS Logon credential may exist for an individual, regardless of the number of affiliations an individual may have to the DoD. a. Eligibility. Beneficiaries of DoD-related benefits or entitlements and other individuals with a continuing affiliation with the DoD may be eligible for a DS Logon credential. Eligible populations include: (1) Current Service members, including active duty, National Guard and Reserve members, and members of the Commissioned Corps of USPHS and NOAA. (2) Veterans, including former members, retirees, Medal of Honor recipients, disabled American veterans, and other veterans with a continuing affiliation to the DoD. (3) DoD civilian employees, including NOAA Wage Mariners, and appropriated fund and non-appropriated fund employees. (4) Eligible retired DoD civilian employees in accordance with DoDI 1330.17 and DoDI 1330.21. (5) Eligible foreign affiliates, when in a DoD benefits-eligible status. (6) Eligible dependents in accordance with Volume 2 of DoDM 1000.13, including spouses, dependent children aged 18 or older, and dependent parents. (7) DoD beneficiaries (DB), including eligible widows, widowers, and former spouses in accordance with Volume 2 of DoDM 1000.13. (8) Surrogates, as described in Paragraph 3.4. (9) Other populations as determined by the Director, DMDC. SECTION 3: PROCEDURES 5
b. Types of Credentials. DS Logon credentials may be credentialed at National Institute of Standards and Technology (NIST) e-authentication levels 1, 2, and 3, in accordance with NIST Special Publication 800-63-2, and at Credential Strength A and B, in accordance with DoDI 8520.03. All self-service information meets the criteria for sensitivity level 1, in accordance with DoDI 8520.03. Any eligible individual, in accordance with Paragraph 3.2.a., may apply for, and be provisioned, any type of DS Logon credential. (1) Basic. A Basic DS Logon credential: (a) Is credentialed at NIST e-authentication level 1 in accordance with NIST Special Publication 800-63-2. (b) Can be obtained by completing an online registration without being positively proofed by a government official or application. This type of credential is accepted on a limited basis for authentication to provide read-only view of information. Examples of use include submitting a medical claim, viewing the status of a claim or appeal, or tracking the status of a purchase from a Military Service exchange. (2) Premium. A Premium DS Logon credential: (a) Is credentialed at NIST e-authentication level 2 in accordance with NIST Special Publication 800-63-2 and at Credential Strength A in accordance with DoDI 8520.03. (b) Can be obtained by requesting a DS Logon credential via Common Access Card (CAC)-based Public Key Infrastructure certificates, or by completing in-person proofing or remote proofing, described in Paragraph 3.3.a. This type of credential facilitates access to any website that accepts DS Logon. Examples of use include viewing current benefits and rates, and viewing PII and PHI that is stored in DoD systems. (c) Can facilitate access to all information that is available to those with a Basic DS Logon credential. (3) Premium Plus. A Premium Plus DS Logon credential: (a) Is credentialed at NIST e-authentication level 2 in accordance with NIST Special Publication 800-63-2 and at Credential Strength A in accordance with DoDI 8520.03, but will be credentialed at NIST e-authentication level 3 in accordance with NIST Special Publication 800-63-2 and at Credential Strength B in accordance with DoDI 8520.03 in the future. (b) Can be obtained upon request by any Premium DS Logon credential holder once credentialed at NIST e-authentication level 3 and at Credential Strength B. (c) Will provide increased security to individuals through two factor authentication. Individuals requesting a Premium Plus DS Logon credential must register a supported mobile device with their DS Logon credential profile. (d) Will facilitate access to all information available to those with Premium DS Logon and Basic DS Logon credentials. SECTION 3: PROCEDURES 6
3.3. LIFECYCLE. a. Application. Eligible individuals, as identified in Paragraph 3.2.a., may apply for a DS Logon credential: (1) Online. Individuals with Internet access may apply for a sponsor or dependent DS Logon credential by submitting a: (a) My Access Center Website Request. This type of request supports the provisioning of a Basic DS Logon credential. The My Access Center website can be accessed at https://myaccess.dmdc.osd.mil/. (b) CAC Request. Individuals with a CAC, a computer with Internet access and a CAC reader may apply for either a sponsor or a dependent DS Logon credential via the My Access Center website or any application that has implemented DS Logon. 1. A sponsor DS Logon credential is provisioned immediately upon request. This type of request supports the provisioning of a Premium DS Logon credential. 2. A request for a DS Logon credential on behalf of a dependent generates an activation letter with an activation code that is mailed to the sponsor at his or her home address in DEERS. Once complete, this type of request supports the provisioning of a Premium DS Logon credential. (c) Request Using a Defense Finance and Accounting Services (DFAS) mypay Account. Eligible individuals may apply for a sponsor or dependent DS Logon credential using a DFAS mypay personal identification number via the My Access Center website. A request for a DS Logon credential generates an activation letter with an activation code that is mailed to the sponsor at his or her home address in DEERS. Once complete, this type of request supports the provisioning of a Premium DS Logon credential. (2) Via Remote Proofing. Eligible individuals with an existing DEERS record may apply for a sponsor or dependent DS Logon credential using remote proofing via the My Access Center website. Individuals requesting a DS Logon credential via remote proofing must correctly answer a number of system-generated questions. Once remote proofing is completed, a Premium DS Logon credential is provisioned immediately. (3) Via In-person Proofing. Eligible individuals may apply for a sponsor or dependent DS Logon credential using in-person proofing. In-person proofing is performed at Department of Veterans Affairs regional offices where the DS access station application is implemented, and at DoD ID card sites when a DS Logon credential is requested either in conjunction with DoD ID card issuance or during initial enrollment of a surrogate. Once in-person proofing is completed, a Premium DS Logon credential is provisioned immediately. Individuals requesting a DS Logon credential via in-person proofing must present: (a) Identity Documents. DS Logon credential applicants must satisfy the identity verification criteria in Paragraph 4.a. of Volume 1 of DoD Manual 1000.13 by presenting two forms of government-issued ID, one of which must contain a photograph. The requirement for SECTION 3: PROCEDURES 7
the primary ID to have a photo cannot be waived. Identity documents must be original or a certified copy. All documentation not in English must have a certified English translation. (b) Proof of Address. DS Logon credential applicants must present proof of address, if address on the presented ID is different than the address in DEERS. (c) DD Form 214, Certificate of Release or Discharge from Active Duty. DS Logon credential applicants must present a DD Form 214 if a veteran who was separated before 1982. If separated from the Reserve Component, a DS Logon credential applicant may present a Reserve Component separation document in lieu of a DD Form 214. b. Use. DS Logon credential holders may use their DS Logon credential at the My Access Center website and any other DoD self-service website that accepts DS Logon. c. Maintenance. DS Logon credential holders may use the My Access Center website to maintain and update their DS Logon credential and manage their personal settings. The DS Logon credential holder may: (1) Activate or deactivate an account. (2) Reset password. (3) Update challenge questions and answers. (4) Upgrade from a Basic DS Logon to a Premium DS Logon credential. (5) Select or update preferred sponsor, if a dependent of two sponsors. (6) Manage personal and advanced security settings. (7) Manage contact information. (8) Manage relationships and access granting. (9) Manage the DS Logon credential using additional capabilities as implemented by the Director, DMDC. d. Decommissioning. DS Logon credentials may be decommissioned by the DS Logon credential holder, via self-service; by an operator, at the request of the DS Logon credential holder; or by the system, when the credential holder no longer has an affiliation to the DoD or is identified as deceased in DEERS. e. Reactivation. DS Logon credentials may be reactivated if the person is living and still eligible for the credential. SECTION 3: PROCEDURES 8
3.4. ASSOCIATIONS. DS Logon supports several types of associations, including DEERSidentified family relationships and operator-initiated and -approved surrogates. a. Family. Individuals are connected to one another based on their family relationship information in DEERS. A family relationship must exist in DEERS before the relationship can exist in DS Logon. (1) Multiple Sponsors. An individual has only one DS Logon credential, regardless of the number of sponsors the individual has (e.g., a dependent child whose parents are both Service members). (2) Transferring Families. If an individual has a second family in DEERS, the individual can move their DS Logon credential to the second family. This changes the assignment of the DS Logon credential from the first family to the second family and removes any granted permissions from the first family. b. Surrogacy. Surrogacy is a feature that allows an individual who may not be affiliated with the DoD and who may not be related to the DS Logon credential holder or eligible individual by a DoD-recognized family relationship to be granted access to a DS Logon credential holder s or an eligible individual s information. A surrogate may be established as the custodian of a deceased Service member s unmarried minor child(ren) who is under 18, who is at least 18 but under 23 and attending school full-time, or who is incapacitated. A surrogate may also be established as the agent of an incapacitated dependent (e.g., spouse, parent) or of a wounded, ill, or incapacitated Service member. (1) Eligibility. An operator must first establish an identity in DEERS before establishing the surrogacy association in DS Logon. To establish a surrogate association, the surrogate must present to an operator for approval: (a) A completed and signed DD Form 3005. (b) Any additional eligibility documents required by the DD Form 3005 which describe the scope of the surrogate s authority. (c) Proof of identity, in accordance with the requirements for in-person proofing in Paragraph 3.3.a.(3). (2) Types of Surrogates. (a) Financial Agent (FA). An eligible individual names an FA to assist with specific financial matters. matters. (b) Legal Agent (LA). An eligible individual names an LA to assist with legal (c) Caregiver (CG). An eligible individual names a CG to assist with general health care requirements (example, viewing general health-care related information, scheduling SECTION 3: PROCEDURES 9
appointments, refilling prescriptions, and tracking medical expenses), but does not make health care decisions. (d) Health Care Agent (HA). An eligible individual (the patient) names an HA in a durable power of attorney for health care documents to make health care decisions. (e) Legal Guardian (LG). An LG is appointed by a court of competent jurisdiction in the United States (or jurisdiction of the United States) to make legal decisions for an eligible individual. (f) Special Guardian (SG). An SG is appointed by a court of competent jurisdiction in the United States (or jurisdiction of the United States) for the specific purpose of making health care-related decisions for an eligible individual. 3.5. PERMISSIONS. A sponsor, a sponsor s spouse, and a sponsor s dependent over the age of 18 can manage who has access to their information (i.e., who has access to view and edit their information and who is eligible to act on their behalf). The provisions of this paragraph may be superseded by order of a court of competent jurisdiction. a. Sponsor Access. Sponsors will automatically have access to the information of all dependents under the age of 18. b. Spousal Access (1) Automatic. A sponsor s spouse will automatically have access to the information of all dependent children under the age of 18 whose relationship to the sponsor began on or after the date of marriage of the sponsor and the sponsor s spouse. (2) Sponsor Granted. The sponsor may grant the sponsor s spouse access to the information of dependent children under the age of 18 whose relationship to the sponsor began before the date of marriage of the sponsor and the sponsor s spouse. c. Granted Access. A sponsor, a sponsor s spouse, and a sponsor s dependent over the age of 18 may grant access to their information via the My Access Center website in accordance with Paragraphs 3.5.c.(1) through (3). Surrogate access to the information of a sponsor, a sponsor s spouse, and a sponsor s dependent (regardless of age) must be granted via in-person proofing, including the submission of eligibility documents to an operator for approval in accordance with Paragraph 3.4.b. (1) Access Granting by a Sponsor. Sponsors may grant their spouse access to the sponsor s information and the information of any sponsor s dependent under the age of 18. Access to the sponsor s information and the information of any sponsor s dependent under the age of 18 may not be granted to any other sponsor s dependent, unless that dependent has been identified as a surrogate. SECTION 3: PROCEDURES 10
(2) Access Granting by a Spouse. Spouses may grant the sponsor access to the spouse s information. Access to the spouse s information may not be granted to any other sponsor s dependent, unless that sponsor s dependent has been identified as a surrogate. (3) Access Granting by a Sponsor s Dependent Over the Age of 18. A sponsor s dependent over the age of 18 may grant the sponsor and the sponsor s spouse access to the dependent s information. Access to the information of a sponsor s dependent over the age of 18 may not be granted to any other sponsor s dependent, unless that sponsor s dependent has been identified as a surrogate.. SECTION 3: PROCEDURES 11
GLOSSARY G.1. ACRONYMS. CAC CG Common Access Card caregiver DB DEERS DFAS DoDD DoDI DoDM DMDC DoDHRA DS DoD beneficiary Defense Enrollment Eligibility Reporting System Defense Finance and Accounting Services DoD directive DoD instruction DoD manual Defense Manpower Data Center Department of Defense Human Resources Activity DoD Self-Service FA financial agent HA health care agent ID identification LA LG legal agent legal guardian NIST NOAA National Institute of Standards and Technology National Oceanic and Atmospheric Administration OMB Office of Management and Budget PHI PII personal health information personally identifiable information SG special guardian GLOSSARY 12
USD(P&R) USPHS Under Secretary of Defense for Personnel and Readiness United States Public Health Service G.2. DEFINITIONS. Unless otherwise noted, these terms and their definitions are for the purpose of this issuance. beneficiary. Individuals affiliated with the DoD and any of the uniformed Services identified in Paragraph 1.1. Applicability that may be eligible for benefits or entitlements. certified copy. A copy of a document that is certified as a true original and: Conveys the appropriate seal or markings of the issuer; Has a means to validate the authenticity of the document by a reference or source number; Is a notarized legal document or other document approved by a Judge Advocate, member of any of the armed forces, or other eligible person in accordance with Section 1044a of Title 10, United States Code; or Has the appropriate certificate of authentication by a U.S. Consular Officer in the foreign country of issuance which attests to the authenticity of the signature and seal. DB. Beneficiaries that qualify for DoD benefits or entitlements who may be credentialed in accordance with NIST Special Publication 800-63-2. This population may include widows, widowers, and eligible former spouses. dependent. Defined in Volume 1 of DoDM 1000.13. DS Logon credential. A username and password to allow Service members, beneficiaries, and other individuals affiliated with the DoD secure access to self-service websites. DS Logon credential holder. A Service member, beneficiary, and other individual affiliated with the DoD who has applied for and received a DS Logon credential. e-authentication level. A set of electronic authentication process requirements that may include stipulations for identity proofing and registration, tokens, token and credential management, authentication protocols, and assertion mechanisms in accordance with DoDI 8520.03. E-authentication level 1 identity credentials require no identity proofing. At this level, the authentication mechanism or protocol provides little or no assurance that the claimant is accessing the protected transaction or data. E-authentication level 1 identity credentials are not approved for use in DoD information systems. E-authentication level 2 identity credentials provide single factor authentication. There are specific identity proofing, registration, issuance, and credential service provider requirements that must be met for identity credentials to be used in identity authentication processes that are GLOSSARY 13
considered e-authentication level 2. These types of identity credentials can be used if issued from a DoD-approved identity credential provider. E-authentication level 3 identity credentials provide identity authentication using at least two authentication factors. There are specified identity proofing, registration, issuance, and credential service provider requirements that must be met for identity credentials to be used in identity authentication processes that are considered e-authentication level 3. Level 3 authentication processes must use credentials that use one-time password or PKI certificate technology solutions and must include proof of possession of approved types of identity credentials through a cryptographic protocol. former member. Defined in Volume 1 of DoDM 1000.13. former spouse. Defined in Volume 1 of DoDM 1000.13. LG. The terms guardian and conservator are used synonymously. Some States may limit the authority of a guardian to specific types of health care decisions; a court may also impose limitations on the health care decisions. Reserve member. A member of the Individual Ready Reserve, Ready Reserve, Selected Reserve, or Standby Reserve, as defined in the DoD Dictionary of Military and Associated Terms. surrogate. A person who has been delegated authority, either by an eligible individual who is at least 18 years of age and mentally competent to consent or by a court of competent jurisdiction in the United States (or possession of the United States), to act on behalf of the eligible individual in a specific role. uniformed services. Defined in the DoD Dictionary of Military and Associated Terms. widow. Defined in Volume 2 of DoDM 1000.13. widower. Defined in Volume 2 of DoDM 1000.13. GLOSSARY 14
REFERENCES DoD 5400.11-R, Department of Defense Privacy Program, May 14, 2007 DoD Directive 5124.02, Under Secretary of Defense for Personnel and Readiness (USD(P&R)), June 23, 2008 DoD Instruction 1000.25, DoD Personnel Identity Protection (PIP) Program, March 2, 2016 DoD Instruction 1330.17, DoD Commissary Program, June 18, 2014, as amended DoD Instruction 1330.21, Armed Services Exchange Regulations, July 14, 2005 DoD Instruction 1341.02, Defense Enrollment Eligibility Reporting System (DEERS) Program and Procedures, August 18, 2016 DoD Instruction 5400.11, DoD Privacy and Civil Liberties Programs, January 29, 2019 DoD Instruction 8520.03, Identity Authentication for Information Systems, May 13, 2011, as amended DoD Manual 1000.13, Volume 1, DoD Identification (ID) Cards: ID Card Life-Cycle, January 23, 2014 DoD Manual 1000.13, Volume 2, DoD Identification (ID) Cards: Benefits for Members of the Uniformed Services, Their Dependents, and Other Eligible Individuals, January 23, 2014 DoD Manual 8910.01, Volume 2, DoD Information Collections Manual: Procedures for DoD Public Information Collections, June 30, 2014, as amended National Institute of Science and Technology Special Publication 800-63-2, Electronic Authentication Guideline, August 2013 Office of the Chairman of the Joint Chiefs of Staff, DoD Dictionary of Military and Associated Terms, current edition Office of Management and Budget M-04-04, E-Authentication Guidance for Federal Agencies, December 16, 2003 United States Code, Title 10 REFERENCES 15